clone 473571 -1
reassign -1 zope-cmfplone
severity 473571 important
thanks

Wichert, thank you for your information. I've marked the issues as "low" since they're against best practices, and am cloning this report for zope-cmfplone in stable. I also think that justifies lowering the impact of this bug.
Thijs

On Sun, June 15, 2008 13:14, Wichert Akkerman wrote:
> CVE-2008-1396 is only a problem if you don't follow best practices. Best
> practice here means setting up automated cycling of the server secret.
> CVE-2008-1395: same thing. The reason we use such a method is that
> anything else is incredibly expensive on busy sites.
>
> CVE-2008-1394 only holds for Plone < 3.0. Plone 3.0 uses a completely
> different session implementation.
>
> CVE-2008-1393 is not true for Plone accounts. It only holds when using
> accounts defined outside the Plone site (such as the Zope root admin
> account) inside the Plone site. Again, this is against best practices.
>
> The CSRF issues mentioned later in the bug report have seen a hotfix for
> Plone 3.0 and are fixed in Plone 3.1. They will not be fixed in Plone 2.5.